Open carrythebanner opened 1 month ago
yeah, it looks like the reason that title, etc. are okay -- is because they go through mustache, and mustache has proper escaping.
`buildSortedDatesListHTML()` does it manually, without the escaping

```
"<input ",
"type='text' ",
"class='newsflash' ",
"value='" + dateStatusNewsFlash,
"'>",
```

making the `<li>` a mustache template might be a decent fix
As noted in #799 there looks to be some unexpected clipping of the newsflash message.
It seems that the initial value is saved to the database properly and also returned properly via `retrieve_event`. When the message is populated into the form, however, the string is assigned to the `value` attribute of an input and apparently not properly escaped.
https://github.com/shift-org/shift-docs/blob/ac9606890ebd336d6db25bfa6babd1ddbdece32e/site/themes/s2b_hugo_theme/assets/js/cal/addevent.js#L368
https://github.com/shift-org/shift-docs/blob/ac9606890ebd336d6db25bfa6babd1ddbdece32e/site/themes/s2b_hugo_theme/assets/js/cal/datepicker.js#L24
Example
Listing 11901 (calevent id) has 2 occurrences, 19594 and 19780 (caldaily ids).
The full newsflash message should be:
Moved ride to today should be more acclimated to everyone's liking. I needed more time to acclimate to the heat before I did this with you guys..
… but only the portion up to the first quote mark (`'`) is shown:
Moved ride to today should be more acclimated to everyone
Presumably, if the event were saved in this state, the truncated message would be sent to the server and the rest of the message would be lost.
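The truncation reported in this issue, reproduced as an added example that is not part of the original issue or the shift-docs code: the first builder concatenates the value the same way as the quoted snippet, the second escapes it first. The function names and the simplified attribute-parsing model are assumptions made for illustration.

```javascript
// Added example: function names are hypothetical, not taken from shift-docs.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeAttr(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: same shape as the snippet quoted in the comment; value is concatenated raw.
function buildInputUnescaped(newsflash) {
  return ["<input ", "type='text' ", "class='newsflash' ",
          "value='" + newsflash, "'>"].join("");
}

// After: identical markup, but the value is escaped before concatenation.
function buildInputEscaped(newsflash) {
  return ["<input ", "type='text' ", "class='newsflash' ",
          "value='" + escapeAttr(newsflash), "'>"].join("");
}

// Simplified model of how an HTML parser reads a single-quoted attribute:
// the value ends at the next ' and character references are then decoded.
function parsedValue(html) {
  const m = /value='([^']*)'/.exec(html);
  if (!m) return null;
  const decode = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return m[1].replace(/&(?:amp|lt|gt|quot|#39);/g, (ref) => decode[ref]);
}

// Newsflash text quoted in the issue.
const message = "Moved ride to today should be more acclimated to everyone's liking. " +
  "I needed more time to acclimate to the heat before I did this with you guys..";

// What the form field would hold in each case.
function demo() {
  return {
    unescaped: parsedValue(buildInputUnescaped(message)),
    escaped: parsedValue(buildInputEscaped(message)),
  };
}

console.log(demo());
```
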